Austin Songer
b4d584fbc6
[New Rule] Microsoft 365 - Potential ransomware activity (#1346)
* Create impact_microsoft_365_potential_ransomware_activity.toml
* Update impact_microsoft_365_potential_ransomware_activity.toml
* Update impact_microsoft_365_potential_ransomware_activity.toml
* Update
* Update impact_microsoft_365_potential_ransomware_activity.toml
* Update rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update impact_microsoft_365_potential_ransomware_activity.toml
* Update impact_microsoft_365_potential_ransomware_activity.toml
* bump to prod
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 98c217ece9)
2021-10-12 21:27:11 +00:00
Austin Songer
088c8a8354
[New Rule] AWS Route Table Modified or Deleted (#1258)
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create persistence_route_table_modified_or_deleted.toml
* Update persistence_route_table_modified_or_deleted.toml
* Update persistence_route_table_modified_or_deleted.toml
* Update
* Update .gitignore
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update persistence_route_table_modified_or_deleted.toml
* Update persistence_route_table_modified_or_deleted.toml
* Update persistence_route_table_modified_or_deleted.toml
* remove space from query
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 82e72a956b)
2021-10-12 18:17:56 +00:00
David French
7d9f7e6a56
[New Rule] Rules to detect screensaver persistence on macOS (#1531)
* add macos screensaver persistence rules
* change uuid
* update name
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* add T1546
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit cdbd5a6515)
2021-10-07 14:24:41 +00:00
LaZyDK
9c9ef21878
Update defense_evasion_execution_windefend_unusual_path.toml (#1492)
* Update defense_evasion_execution_windefend_unusual_path.toml
Add Microsoft Security Client to exclusions.
* Update defense_evasion_execution_windefend_unusual_path.toml
Update updated_date
* Updated author
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 43f0d77033)
2021-10-05 19:38:58 +00:00
Austin Songer
bd7616e912
[New Rule] AWS ElastiCache Security Group Created (#1363)
* Create persistence_elasticache_security_group_creation.toml
* Update
* Update rules/integrations/aws/persistence_elasticache_security_group_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Rename persistence_elasticache_security_group_creation.toml to defense_evasion_elasticache_security_group_creation.toml
* Update defense_evasion_elasticache_security_group_creation.toml
* Update defense_evasion_elasticache_security_group_creation.toml
* Re-add rule.threat
* Update rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* remove extra space from query
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 9508002bb3)
2021-10-05 17:01:33 +00:00
Austin Songer
bd8eeae6ca
Made these pull requests before the directory restructure. (#1517)
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 3b0d2006b7)
2021-10-05 12:30:40 +00:00
Austin Songer
29d1ee4ae5
[Rule Tuning] AWS RDS Snapshot Export and AWS RDS Instance Created (#1514)
(cherry picked from commit 0a3c44e8db)
2021-10-04 21:32:40 +00:00
Andrew Pease
89cba0af95
[Rule Tuning] Volume Shadow Copy Deletion or Resized via VssAdmin (#1524)
* Updated rule to include resizing
* lint
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit d5a8f41864)
2021-10-04 19:01:39 +00:00
Jonhnathan
3471522807
[New Rule] Backup Files Deletion (#1516)
* Add Backup Files Deletion Initial Rule
* Fix creation date
* Add updated_date
* Adjust description and query
* Update Description
* Update rules/windows/impact_backup_file_deletion.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Add false_positives
* Update impact_backup_file_deletion.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit f2b58cc0ab)
2021-10-04 18:56:48 +00:00
Austin Songer
c2fc2af03b
[New Rule] AWS ElastiCache Security Group Modified or Deleted (#1364)
* Create impact_aws_elasticache_security_group_modified_or_deleted.toml
* Rename impact_aws_elasticache_security_group_modified_or_deleted.toml to impact_elasticache_security_group_modified_or_deleted.toml
* Update impact_elasticache_security_group_modified_or_deleted.toml
* Update
* Update rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update impact_elasticache_security_group_modified_or_deleted.toml
* Update impact_elasticache_security_group_modified_or_deleted.toml
* Rename impact_elasticache_security_group_modified_or_deleted.toml to defense_evasion_elasticache_security_group_modified_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit f41714642c)
2021-10-04 18:39:40 +00:00
Austin Songer
d0eaf3ed26
[New Rule] Volume Shadow Copy Deletion via PowerShell (#1358)
* Create defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Rename defense_evasion_volume_shadow_copy_deletion_via_powershell.toml to impact_volume_shadow_copy_deletion_via_powershell.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Add trailing /
* Update rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 6298f7b00a)
2021-10-04 17:59:07 +00:00
Jonhnathan
8033c0a260
Rename new_or_modified_federation_domain.toml to correspond with tactic (#1511)
(cherry picked from commit ba9c01be50)
2021-09-30 21:09:35 +00:00
Jonhnathan
ed57d46d15
[Rule Tuning] Small update on rule descriptions (#1508)
(cherry picked from commit 5e4a7e67df)
2021-09-30 20:55:18 +00:00
Samirbous
1c70f69b2f
[New Rule] Virtual Machine Fingerprinting via Grep (#1510)
* [New Rule] Virtual Machine Fingerprinting via Grep
* format
* Update rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* added reference url
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 76a0224f60)
2021-09-30 18:41:03 +00:00
Samirbous
6f30bf3f7f
[New Rule] Potential Lsass Memory Dump via MirrorDump (#1504)
* [New Rule] Potential Lsass Memory Dump via MirrorDump
* added tactic
* switched to kql
* added sysmon process access non ecs types
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* rule.name as suggested by Justin and converted to EQL to add comments
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 521e4dc8f1)
2021-09-30 08:17:42 +00:00
Austin Songer
09f49da822
[New Rule] Azure Frontdoor Web Application Firewall (WAF) Policy Deleted (#1393)
(cherry picked from commit d28c48f20f)
2021-09-29 17:09:18 +00:00
Austin Songer
ba458dea13
[New Rule] New or Modified Federation Domain (#1212)
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create persistence_new-or-modified-federation-domain.toml
* Rename persistence_new-or-modified-federation-domain.toml to persistence_new_or_modified_federation_domain.toml
* Update persistence_new_or_modified_federation_domain.toml
* Update .gitignore
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update persistence_new_or_modified_federation_domain.toml
* Update persistence_new_or_modified_federation_domain.toml
* Update persistence_new_or_modified_federation_domain.toml
* Update
* Update persistence_new_or_modified_federation_domain.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit a51ed86851)
2021-09-29 12:17:22 +00:00
Austin Songer
17845c2bf9
[New Rule] O365 Exchange Suspicious Mailbox Right Delegation (#1211)
(cherry picked from commit 5ac7fb639c)
2021-09-27 21:19:34 +00:00
Justin Ibarra
371247b0b2
[Rule Tuning] Add system index to Windows Event Logs Cleared (#1502)
(cherry picked from commit 63d6a54804)
2021-09-24 17:06:02 +00:00
Jonhnathan
5b13666054
[Rule Tuning] Update threat mappings for Windows rules (#1497)
* Windows Rules Att&ck Mapping review
* Bump updated_date and fix reference URLs
* Fix subtechnique
* Fix test errors
(cherry picked from commit 61afb1c1c0)
2021-09-23 17:09:43 +00:00
Austin Songer
216d06ef30
[New Rule] AWS STS GetSessionToken Abuse (#1213)
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create lateral_movement_sts_getsessiontoken_abuse.toml
* Rename lateral_movement_sts_getsessiontoken_abuse.toml to privilege_escalation_sts_getsessiontoken_abuse.toml
* Update privilege_escalation_sts_getsessiontoken_abuse.toml
* Update rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update .gitignore
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update privilege_escalation_sts_getsessiontoken_abuse.toml
* Update privilege_escalation_sts_getsessiontoken_abuse.toml
* Update
* Update rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 93b8038d7d)
2021-09-22 19:29:04 +00:00
Austin Songer
0610e66ec2
[New Rule] Okta User Attempted Unauthorized Access (#1209)
(cherry picked from commit 3e2cf4f53e)
2021-09-22 06:45:27 +00:00
Justin Ibarra
98735808ab
[Rule Tuning] Fix typos in rule metadata (#1494)
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 8e3b1d28c4)
2021-09-21 19:32:05 +00:00
Jonhnathan
c1a0398c3f
Additional Att&ck Mappings for credential access Rules (#1495)
Updates MITRE Technique IDs for Credential Access DRs
(cherry picked from commit f6421d8c53)
2021-09-21 16:05:25 +00:00
Khristinin Nikita
2bb9fdb724
Add default timestamp condition for threat_query (#1486)
(cherry picked from commit 10a977914b)
2021-09-20 19:20:58 +00:00
dstepanic17
c864538606
[rule-tuning] Adding more context with triage/investigation (#1481)
* [rule-tuning] Adding more context with triage/investigation
* Adding mimikatz rule
* Fixed updated date on mimikatz rule
* Adding Defender update
* Adding scheduled task
* Adding AdFind
* Adding rare process
* Adding cloudtrail country
* Adding cloudtrail spike
* Adding threat intel
* Fixed minor spelling/syntax
* Fixed minor spelling/syntax p2
* Update rules/cross-platform/threat_intel_module_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/ml/ml_rare_process_by_host_windows.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_mimikatz_powershell_module.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_mimikatz_powershell_module.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Removed MITRE link, added Microsoft
* Update ml_cloudtrail_error_message_spike.toml
* Update ml_cloudtrail_rare_method_by_country.toml
* Update ml_rare_process_by_host_windows.toml
* Update credential_access_mimikatz_powershell_module.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update discovery_adfind_command_activity.toml
* Update lateral_movement_dns_server_overflow.toml
* Update lateral_movement_scheduled_task_target.toml
* Update persistence_evasion_registry_startup_shell_folder_modified.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update lateral_movement_scheduled_task_target.toml
* Update persistence_evasion_registry_startup_shell_folder_modified.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 9ff3873ee7)
2021-09-16 01:08:23 +00:00
Justin Ibarra
31202bf4f6
[Rule tuning] Fix typo in ML rule descriptions (#1484)
(cherry picked from commit 51a2bc815b)
2021-09-14 16:37:55 +00:00
Samirbous
105a1fd023
[New Rule] Behavior Rule for CVE-2021-40444 Exploitation (#1479)
* [New Rule] Behavior Rule for CVE-2021-40444 Exploitation
* added a ref
* replaced \ with /
* removed unnecessary wildcard
(cherry picked from commit 0875c1e4c4)
2021-09-08 19:27:16 +00:00
dstepanic17
88bfc67638
Adding control.exe (#1477)
(cherry picked from commit cb27c686e0)
2021-09-08 18:31:51 +00:00
Ross Wolf
2ef59e918f
Revert #1440 new endpoint promotion rule (#1470)
* Revert #1440 new endpoint promotion rule
* Set the updated_at date
Removed changes from:
- rules/integrations/endpoint/elastic_endpoint_security_behavior_protection.toml
(selectively cherry picked from commit c9d6527280)
2021-09-03 14:08:22 +00:00
Justin Ibarra
2a2bcbd870
[Rule tuning] Fix spacing in reference URLs (#1455)
(cherry picked from commit 655f7d91d0)
2021-09-01 00:00:06 +00:00
Nic
20a814c47f
[Rule tuning] Azure Active Directory High Risk Sign-in (#1463)
* Add Aggregated Risk Level
* There can be a risk_level_during_signin:low but a risk_level_aggregated:high, which is also just as concerning and must be alerted on.
* An example is a password spray attack with a successful login, which makes me consider a new rule for interesting risk event types.
(cherry picked from commit 8b2c8c2e03)
2021-08-30 22:34:47 +00:00
Ross Wolf
1f7c404548
Remove the 7.15+ behavior protection promotion rule
2021-08-26 08:51:38 -06:00
Ross Wolf
34ab6c81d3
[New Rule] Endpoint Security Behavior Protection (#1440)
* [New Rule] Endpoint Security Behavioral Protection
* Update readme and labeler for endpoint integration
* Fix new rule to use event.code
* Fix old rule to use event.code
* Changed from behavioral to behavior
* Rename elastic_endpoint_security_behavioral.toml to elastic_endpoint_security_behavior_protection.toml
* Back from the future (updated_date)
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
(cherry picked from commit 3b338baab0)
2021-08-25 15:58:03 +00:00
dstepanic17
689e690f8c
[New rule] Webshell Detection (#1448)
* [new-rule] Webshell Detection
* Update rules/windows/persistence_webshell_detection.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Added FP note section
* Update rules/windows/persistence_webshell_detection.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 8ddffc298b)
2021-08-24 20:19:32 +00:00
Justin Ibarra
cc75f645b6
[Rule Tuning] Add technique T1005 to 2 rules (#1405)
(cherry picked from commit 8099e1c733)
2021-08-20 08:20:32 +00:00
Austin Songer
94190321c1
[Rule Tuning] AWS Security Group Configuration Change Detection (#1426)
* move rule "AWS Security Group Configuration Change Detection" to integrations directory and add "aws" integration
(cherry picked from commit 3b29498907)
2021-08-15 04:35:07 +00:00
Christian Clauss
604fd2a18f
Fix typos discovered by codespell (#1430)
(cherry picked from commit ddec37b731)
2021-08-15 04:30:11 +00:00
Austin Songer
e170935f1f
[New Rule] AWS EC2 Security Group Configuration Change Detection (#1144)
(cherry picked from commit 67ba66c8e7)
2021-08-12 19:38:05 +00:00
David French
9e6c107de5
[New Rule] Whitespace Padding in Process Command Line (#1392)
* Create defense_evasion_whitespace_padding_in_command_line.toml
* add newline
* update description
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 14493689b9)
2021-08-11 16:16:05 +00:00
Justin Ibarra
121431b40b
Refresh ATT&CK mappings to v9.0 (#1401)
* Refresh ATT&CK mappings to v9.0
* Update rules to reflect ATT&CK changes
(cherry picked from commit d31ea6253e)
2021-08-04 22:17:11 +00:00
Justin Ibarra
742253c61d
[Rule tuning] Revise rule description and other text (#1398)
(cherry picked from commit f8f643041a)
2021-08-03 21:08:48 +00:00
Austin Songer
fcd2071ca9
[Rule Tuning] NTDS or SAM Database File Copied (#1378)
* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml to include esentutl.exe
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
(cherry picked from commit d2365783fa)
2021-08-03 20:29:19 +00:00
Justin Ibarra
05d01bbfe0
[Rule Tuning] Rule description tweaks (#1388)
(cherry picked from commit b736d6e748)
2021-07-29 18:57:11 +00:00
Ross Wolf
0ae93632fc
[Rule Tuning] Remove \Program Files*\ style wildcards (#1369)
* Remove \Program Files*\ style wildcards
* Convert string and remove trailing .exe check
* Fix syntax
* Escape dot
* Add missing `and`
* Fix syntax for regex string
* Convert * to .* for regex
(cherry picked from commit 7b62fe296d)
2021-07-22 17:56:25 +00:00
Justin Ibarra
8deeab2c4d
[Rule Tuning] Update EQL rules with lookback < maxspan (#1362)
* [Rule Tuning] Update EQL rules with lookback < maxspan
* update intervals to be at least interval >= 1/2 maxspan
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
(cherry picked from commit 4aab1278bf)
2021-07-22 17:10:08 +00:00
Ross Wolf
600acca704
[Fleet] Track integrations in folder and metadata (#1372)
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests
(cherry picked from commit 1882f4456c)
2021-07-21 21:25:48 +00:00
Ross Wolf
6d9997435f
[Rule Tuning] Convert unusual extension rule to regex (#1368)
* Convert unusual extension rule to regex
* Update defense_evasion_file_creation_mult_extension.toml
* Fix date
* Fix extension
(cherry picked from commit 9f3d5328f4)
2021-07-21 17:50:36 +00:00
Ross Wolf
fc2f5866a2
[Rule Tuning] Creation of Hidden Files and Directories (#1357)
* [Rule Tuning] Creation of Hidden Files and Directories
* Remove redundant `A` from the regex
(cherry picked from commit 9b559d0cd9)
2021-07-21 17:48:37 +00:00
David French
f0270973bb
[Rule Tuning] Update Google Workspace rules to use google_workspace event schema (#1374)
* use google_workspace event schema
* update to use google_workspace schema
(cherry picked from commit 23626b814c)
2021-07-21 17:39:45 +00:00